Update Chrome now to fix new vulnerabilities that are actively exploited


January 17, 2024 | Newsroom | Browser Security / Vulnerability

Google on Tuesday released updates to fix four security issues in the Chrome browser, including a zero-day vulnerability that has been actively exploited.

The issue, tracked as CVE-2024-0519, is an out-of-bounds memory access in the V8 JavaScript and WebAssembly engine, which can be weaponized by threat actors to trigger a crash.

“By reading out-of-bounds memory, an attacker may be able to obtain secret values, such as memory addresses, which can bypass protection mechanisms such as ASLR in order to improve reliability and potentially exploit a separate vulnerability to achieve code execution rather than simply denial of service,” according to MITRE’s Common Weakness Enumeration (CWE).

Additional details about the nature of the attacks and which actors may exploit them have been withheld in an attempt to prevent further exploitation. The issue was reported anonymously on January 11, 2024.

“Out-of-bounds memory access in V8 in Google Chrome before 120.0.6099.224 allowed a remote attacker to exploit heap corruption via a crafted HTML page,” reads a description of the flaw in NIST’s National Vulnerability Database (NVD).

This development marks the first actively exploited zero-day to be patched by Google in Chrome in 2024. Last year, the tech giant resolved a total of 8 actively exploited zero-days in the browser.

Users are advised to upgrade to Chrome version 120.0.6099.224/225 for Windows, 120.0.6099.234 for macOS, and 120.0.6099.224 for Linux to mitigate potential threats.

Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also encouraged to apply fixes when they become available.
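To check a fleet against the fixed builds listed above, the following added example (not part of the original article) flags hosts still running a Chrome build older than the patched version for their platform. The inventory row format and host names are hypothetical, and only Google Chrome is covered because the article gives no fixed versions for other Chromium-based browsers.

```python
import re

# Fixed builds as stated in the article (Windows ships .224/.225, so .224 is the floor).
FIXED = {
    "windows": (120, 0, 6099, 224),
    "macos": (120, 0, 6099, 234),
    "linux": (120, 0, 6099, 224),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract the four-part build number from text like 'Google Chrome 120.0.6099.199'."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def status(platform, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one host."""
    floor = FIXED.get(platform.lower())
    version = parse_version(version_text)
    if floor is None or version is None:
        return "unknown"  # unparseable data needs follow-up, never assume it is safe
    # Tuples compare component by component, so 121.x sorts above 120.0.6099.224.
    return "patched" if version >= floor else "vulnerable"


def audit(inventory_lines):
    """inventory_lines: 'host,platform,version string' rows (hypothetical export format)."""
    report = {}
    for line in inventory_lines:
        host, platform, version_text = (f.strip() for f in line.split(",", 2))
        report[host] = status(platform, version_text)
    return report


# Constructed sample inventory, not real hosts.
SAMPLE = [
    "ws-01,windows,Google Chrome 120.0.6099.225",
    "ws-02,windows,Google Chrome 120.0.6099.217",
    "mac-01,macos,Google Chrome 120.0.6099.224",
    "lnx-01,linux,Google Chrome 121.0.6167.85",
    "lnx-02,linux,not installed",
]

if __name__ == "__main__":
    for host, result in audit(SAMPLE).items():
        print(f"{host}: {result}")
```

Note that `mac-01` is flagged even though it runs 120.0.6099.224, because the fixed macOS build is 120.0.6099.234.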
